Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-12 Thread Ben Laurie
On 10 October 2013 17:06, John Kelsey  wrote:
> Just thinking out loud
>
> The administrative complexity of a cryptosystem is overwhelmingly in key 
> management and identity management and all the rest of that stuff.  So 
> imagine that we have a widely-used inner-level protocol that can use strong 
> crypto, but also requires no external key management.  The purpose of the 
> inner protocol is to provide a fallback layer of security, so that even an 
> attack on the outer protocol (which is allowed to use more complicated key 
> management) is unlikely to be able to cause an actual security problem.  On 
> the other hand, in case of a problem with the inner protocol, the outer 
> protocol should also provide protection against everything.
>
> Without doing any key management or requiring some kind of reliable identity 
> or memory of previous sessions, the best we can do in the inner protocol is 
> an ephemeral Diffie-Hellman, so suppose we do this:
>
> a.  Generate random a and send aG on curve P256
>
> b.  Generate random b and send bG on curve P256
>
> c.  Both sides derive the shared key abG, and then use SHAKE512(abG) to 
> generate an AES key for messages in each direction.
>
> d.  Each side keeps a sequence number to use as a nonce.  Both sides use 
> AES-CCM with their sequence number and their sending key, and keep track of 
> the sequence number of the most recent message received from the other side.
>
> The point is, this is a protocol that happens *inside* the main security 
> protocol.  This happens inside TLS or whatever.  An attack on TLS then leads 
> to an attack on the whole application only if the TLS attack also lets you do 
> man-in-the-middle attacks on the inner protocol, or if it exploits something 
> about certificate/identity management done in the higher-level protocol.  
> (Ideally, within the inner protocol, you do some checking of the identity 
> using a password or shared secret or something, but that's application-level 
> stuff the inner and outer protocols don't know about.)
>
> Thoughts?

AIUI, you're trying to make it so that only active attacks work on the
combined protocol, whereas passive attacks might work on the outer
protocol. In order to achieve this, you assume that your proposed
inner protocol is not vulnerable to passive attacks (I assume the
outer protocol also thinks this is true). Why should we believe the
inner protocol is any better than the outer one in this respect?
Particularly since you're using tainted algorithms ;-).
___
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography


Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-12 Thread Jerry Leichter
On Oct 11, 2013, at 11:09 PM, James A. Donald wrote:
>> Right now we've got a TCP startup, and a TLS startup.  It's pretty messy.  
>> Adding another startup inside isn't likely to gain popularity.
> 
> The problem is that layering creates round trips, and as cpus get ever 
> faster, and pipes ever fatter, round trips become a bigger and bigger problem. 
> Legend has it that each additional round trip decreases usage of your web 
> site by twenty percent, though I am unaware of any evidence on this.
The research is on time delays, which you could easily enough convert to round 
trips.  The numbers are nowhere near 20%, but are significant if you have many 
users:  http://googleresearch.blogspot.com/2009/06/speed-matters.html

-- Jerry



Re: [Cryptography] PGP Key Signing parties

2013-10-12 Thread Stephen Farrell

If someone wants to try organise a pgp key signing party at
the Vancouver IETF next month let me know and I can organise a
room/time. That's tended not to happen since Ted and Jeff
don't come along but we could re-start 'em if there's interest.

S.


[Cryptography] Plug for crypto.stackexchange.com

2013-10-12 Thread David Wagner
I've noticed quite a few questions on this list
recently of the form "How do I do X?" "What is
the right cryptographic primitive for goal X?" etc.

I'd like to plug the following site:

http://crypto.stackexchange.com/
Cryptography Stack Exchange

It is an excellent place to post questions like
that and get helpful answers.  I encourage folks
to give it a try, if they have questions like the
ones I listed above.  By posting there, you will
not only get good answers, but those answers
will also be documented in a form that's well-suited
for others with the same problem to find and
benefit from.  I'm not trying to drive people
away from this mailing list, just pointing out
an additional resource that may be helpful.

Or, if you're feeling helpful and community-minded,
you can subscribe and help answer other people's
questions there.

(That site is like Stack Overflow, for those familiar
with Stack Overflow, except that it is focused on
cryptography.  There is also a site on information
security: http://security.stackexchange.com/ )


Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3?

2013-10-12 Thread John Kelsey
On Oct 12, 2013, at 6:51 AM, Ben Laurie  wrote:
...
> AIUI, you're trying to make it so that only active attacks work on the
> combined protocol, whereas passive attacks might work on the outer
> protocol. In order to achieve this, you assume that your proposed
> inner protocol is not vulnerable to passive attacks (I assume the
> outer protocol also thinks this is true). Why should we believe the
> inner protocol is any better than the outer one in this respect?

The point is, we don't know how to make protocols that really are reliably 
secure against future attacks.  If we did, we'd just do that. 


My hope is that if we layer two of our best attempts at secure protocols on top 
of one another, then we will get security because the attacks will be hard to 
get through the composed protocols.  So maybe my protocol (or whatever inner 
protocol ends up being selected) isn't secure against everything, but as long 
as its weaknesses are covered up by the outer protocol, we still get a secure 
final result.  

One requirement for this is that the inner protocol must not introduce new 
weaknesses.  I think that means it must not:

a.  Leak information about its plaintexts in its timing, error messages, or 
ciphertext sizes.  

b.  Introduce ambiguities about how the plaintext is to be decrypted that could 
mess up the outer protocol's authentication.  

I think we can accomplish (a) by not compressing the plaintext before 
processing it, by using crypto primitives that don't leak plaintext data in 
their timing, and by having the only error message that can ever be generated 
from the inner protocol be essentially a MAC failure or an out-of-sequence 
error.  

I think (b) is pretty easy to accomplish with standard crypto, but maybe I'm 
missing something.  

...
> Particularly since you're using tainted algorithms ;-).

If using AES or P256 are the weak points in the protocol, that is a big win.  
Right now, we aren't getting anywhere close to that.  And there's no reason 
either AES or P256 have to be used--I'm just looking for a simple, lightweight 
way to get as much security as possible inside some other protocol.  

--John
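The inner protocol sketched in the quoted steps a to d, together with the error discipline of point (a) above, as an added Go example that is not from anyone in this thread. It uses Go's standard crypto/ecdh for P-256; SHA-512 stands in for SHAKE512 and AES-GCM for AES-CCM, and the split of the hash output into an A->B key and a B->A key, the 8-byte sequence header and the zero-padded nonce layout are my assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha512"
	"encoding/binary"
	"errors"
)

// The only two errors the inner layer ever reports (goal a in the message above).
var ErrOutOfSequence, ErrAuth = errors.New("inner: out of sequence"), errors.New("inner: MAC failure")
// Endpoint: one side's AEAD per direction, its send counter, and the highest accepted peer seq.
type Endpoint struct {
	send, recv        cipher.AEAD
	sendSeq, lastRecv uint64
}
// newAEAD wraps a 32-byte key in AES-GCM, standing in here for the proposal's AES-CCM.
func newAEAD(k []byte) cipher.AEAD { b, _ := aes.NewCipher(k); g, _ := cipher.NewGCM(b); return g }
// Handshake runs steps a-c for both parties in one process. SHA-512 stands in for
// the SHAKE output; splitting it into an A->B half and a B->A half is assumed.
func Handshake() (*Endpoint, *Endpoint) {
	a, _ := ecdh.P256().GenerateKey(rand.Reader) // step a: random a, send aG
	b, _ := ecdh.P256().GenerateKey(rand.Reader) // step b: random b, send bG
	sa, _ := a.ECDH(b.PublicKey())               // abG as computed by A
	sb, _ := b.ECDH(a.PublicKey())               // abG as computed by B (same bytes)
	ka, kb := sha512.Sum512(sa), sha512.Sum512(sb)
	return &Endpoint{send: newAEAD(ka[:32]), recv: newAEAD(ka[32:])},
		&Endpoint{send: newAEAD(kb[32:]), recv: newAEAD(kb[:32])}
}
// Seal encrypts under the next sequence number, which is both the zero-padded
// 96-bit nonce and the authenticated 8-byte header in front of the ciphertext.
func (e *Endpoint) Seal(plain []byte) []byte {
	e.sendSeq++
	hdr := binary.BigEndian.AppendUint64(nil, e.sendSeq)
	return e.send.Seal(hdr, append(make([]byte, 4), hdr...), plain, hdr)
}
// Open rejects replay, reorder or a missing header first; after that the only failure is the tag check.
func (e *Endpoint) Open(msg []byte) ([]byte, error) {
	if len(msg) < 8 || binary.BigEndian.Uint64(msg[:8]) <= e.lastRecv {
		return nil, ErrOutOfSequence
	}
	plain, err := e.recv.Open(nil, append(make([]byte, 4), msg[:8]...), msg[8:], msg[:8])
	if err != nil {
		return nil, ErrAuth
	}
	e.lastRecv = binary.BigEndian.Uint64(msg[:8])
	return plain, nil
}
```

Because the receiver only ever accepts a strictly larger sequence number, a replayed or reflected record can never reach the decryption step with a fresh nonce, and a record from the other direction fails the tag check rather than decrypting under the wrong key.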



Re: [Cryptography] PGP Key Signing parties

2013-10-12 Thread Joshua Marpet
I am one of the organizers of Security BSides Delaware, otherwise known as
BSidesDE.  We have already discussed having a key signing party, but if
there is any interest, I'd love for any of you to be there, and potentially
run it.  Check out bsidesdelaware.com for dates, locations, and such.

It's an academic environment, and we will have several hundred people
there, from college students, to business, to infosec professionals.

And we're only a couple of hours from the NSA!!  ;)

Nov 8 and 9th, Wilmington, DE.

Any interest?

Joshua Marpet


On Sat, Oct 12, 2013 at 8:00 AM, Stephen Farrell wrote:

>
> If someone wants to try organise a pgp key signing party at
> the Vancouver IETF next month let me know and I can organise a
> room/time. That's tended not to happen since Ted and Jeff
> don't come along but we could re-start 'em if there's interest.
>
> S.


